A silver ticket is a forged Kerberos service ticket (TGS) encrypted and signed with the target service account's own secret key. Unlike a golden ticket, which requires the KRBTGT key and, when used, a TGS exchange with the KDC, a silver ticket is constructed entirely offline: no domain controller contact is required at forge time. The ticket grants the bearer access only to the specific service identified by the SPN. Because it is never issued by the KDC, its KDCChecksum is by default not keyed with the KRBTGT key and so cannot pass KDC PAC validation; the /krbkey flag remedies this by computing that checksum with the KRBTGT key.

Differences from Golden Tickets

Aspect                       | Golden Ticket                      | Silver Ticket
-----------------------------|------------------------------------|----------------------------------
Signing key                  | KRBTGT (krbtgt/domain)             | Service account key
Scope                        | Any service in the domain          | Single service SPN only
DC contact required to forge | No                                 | No
KDC validates checksum       | Yes (KDCChecksum uses KRBTGT)      | Only if /krbkey is supplied
Detection surface            | High (KRBTGT key compromise)       | Lower (individual service key)

Flag Reference

Cryptographic Key (required — pick one)

/des
HASH
DES (des_cbc_md5) key for the service account.
/rc4
HASH
RC4/NTLM key for the service account. Alias: /ntlm.
/ntlm
HASH
Alias for /rc4. RC4/NTLM key for the service account.
/aes128
HASH
AES-128 key for the service account.
/aes256
HASH
AES-256 key for the service account.
/enctype
DES|RC4|AES128|AES256
Explicitly specify the encryption type. Accepts DES, RC4, NTLM, AES128, AES256, or AES.

Identity (required)

/user
USERNAME
Username to embed in the ticket PAC. Accepts DOMAIN\user format; the domain component also sets /domain.
/service
SPN
Target SPN in svc/host.domain.com or host@domain.com format. Required. Both /s4uproxytarget and /s4utransitedservices must be supplied together if either is used.

LDAP Auto-fill

/ldap
flag
Query Active Directory over LDAPS (falling back to LDAP) to automatically populate all PAC fields for the specified user, including real group memberships, SID, display name, and password policy timestamps.
/creduser
DOMAIN\USERNAME
Alternate credential username (in domain.com\user format) for the LDAP query. Must be paired with /credpassword.
/credpassword
PASSWORD
Password for the alternate LDAP credential specified by /creduser.

Domain and DC

/domain
DOMAIN
Fully-qualified domain name. Required in explicit mode; optional override in LDAP mode.
/sid
DOMAIN_SID
Domain SID. Required in explicit mode (without /ldap).
/dc
DOMAIN_CONTROLLER
Hostname or IP of the domain controller to use for LDAP queries.
/netbios
NETBIOS_DOMAIN
NetBIOS domain name stored in the PAC LogonDomainName field.

KDC Checksum

/krbkey
HASH
KRBTGT key used to compute the KDCChecksum and TicketChecksum in the PAC. When omitted, the service key is used for both checksums and the ticket will fail strict KDC checksum validation.
/krbenctype
DES|RC4|AES128|AES256
Encryption type for the KDC checksum. Requires /krbkey. Defaults to AES256.
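The following is an added illustration, not Rubeus code, of why the two checksums described above behave differently during validation. It models the MS-PAC structure in which the server checksum is keyed with the service key and the KDC checksum is computed over the server signature with the KRBTGT key. As a simplification (an assumption of this example), a plain HMAC-SHA1 truncated to 96 bits stands in for the real Kerberos checksum, which first derives a usage-specific subkey and signs the PAC with its signature fields zeroed; the keys and PAC body are constructed sample values. The defender's takeaway it demonstrates is that the service's own check cannot distinguish a forged PAC, while DC-side PAC validation does, as long as the KRBTGT key itself has not been compromised.

```python
import hashlib
import hmac

SIG_LEN = 12  # HMAC-SHA1-96: the AES checksum types keep the first 96 bits


def checksum(key: bytes, data: bytes) -> bytes:
    """Keyed checksum (simplified stand-in for the Kerberos HMAC-SHA1-96 types)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:SIG_LEN]


def sign_pac(pac_body: bytes, service_key: bytes, kdc_key: bytes) -> dict:
    """Produce the two PAC signature values for a PAC body.

    A legitimate KDC passes the real KRBTGT key as kdc_key. A forger who only
    holds the service key has nothing better to substitute, which is the
    situation the page describes when /krbkey is omitted.
    """
    server_sig = checksum(service_key, pac_body)
    # MS-PAC: the KDC checksum is computed over the server signature bytes.
    kdc_sig = checksum(kdc_key, server_sig)
    return {"body": pac_body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_accepts(pac: dict, service_key: bytes) -> bool:
    """What the target service can verify on its own: the server checksum."""
    return hmac.compare_digest(checksum(service_key, pac["body"]), pac["server_sig"])


def kdc_accepts(pac: dict, krbtgt_key: bytes) -> bool:
    """What a domain controller verifies during PAC validation: the KDC checksum."""
    return hmac.compare_digest(checksum(krbtgt_key, pac["server_sig"]), pac["kdc_sig"])


# Constructed sample keys and PAC body; real keys are the accounts' Kerberos secrets.
SERVICE_KEY = hashlib.sha256(b"constructed service key").digest()
KRBTGT_KEY = hashlib.sha256(b"constructed krbtgt key").digest()
PAC_BODY = b"constructed PAC body: user=jdoe rid=1105 groups=513"


def pac_signed_with_service_key_only() -> dict:
    # Only the service key is known, so the KDC checksum is keyed with it too.
    return sign_pac(PAC_BODY, SERVICE_KEY, SERVICE_KEY)


def pac_signed_with_krbtgt_key() -> dict:
    # The KDC checksum is keyed with the KRBTGT key, as a real KDC (or /krbkey) does.
    return sign_pac(PAC_BODY, SERVICE_KEY, KRBTGT_KEY)


def evaluate(pac: dict) -> tuple:
    """(accepted by the service, accepted by DC-side PAC validation)."""
    return (service_accepts(pac, SERVICE_KEY), kdc_accepts(pac, KRBTGT_KEY))


if __name__ == "__main__":
    print("service key only ->", evaluate(pac_signed_with_service_key_only()))  # (True, False)
    print("KRBTGT-keyed     ->", evaluate(pac_signed_with_krbtgt_key()))        # (True, True)
```

The service-side result is identical in both cases; only the DC-side check separates them, which is why the strict KDC checksum validation mentioned under /krbkey is the control worth enforcing and monitoring.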

Client Name and Realm Override

/cname
CLIENTNAME
Override the client name (cname) in the ticket. Defaults to the value of /user.
/crealm
CLIENTDOMAIN
Override the client realm (crealm) in the ticket. Defaults to /domain.

S4U Delegation Info

/s4uproxytarget
SPN
Target SPN for S4U delegation. Adds an S4UDelegationInfo PAC buffer that mimics a constrained delegation ticket. Must be supplied together with /s4utransitedservices.
/s4utransitedservices
SPN1,SPN2
Comma-separated list of transited services for the S4UDelegationInfo PAC section. Must be supplied together with /s4uproxytarget.

PAC Options

/newpac
flag
Force inclusion of the new PAC format buffers (Attributes and Requestor sections). Silver tickets omit these buffers unless this flag is passed.
/nofullpacsig
flag
Exclude the FullPacChecksum buffer from the forged ticket. Necessary when targeting services on Windows versions that have not yet enforced the full PAC signature requirement (pre-KB5020805 behaviour).
/extendedupndns
flag
Include the extended UPN and DNS info (SAM name and SID) in the UpnDns PAC buffer.
/authdata
flag
Append authorization-data sections to the ticket, matching the structure of tickets issued by a real KDC with compound identity.

PAC Identity Fields

/id
USER_ID
User RID in the PAC. Defaults to 500.
/pgid
PRIMARY_GID
Primary group RID. Defaults to 513 (Domain Users).
/groups
GROUP_IDS
Comma-separated group RIDs embedded in the PAC.
/sids
EXTRA_SIDS
Comma-separated extra SIDs added to the ExtraSids PAC field.
/resourcegroupsid
SID
SID of the resource domain for resource group membership. Must be paired with /resourcegroups.
/resourcegroups
GROUP_IDS
Comma-separated resource group RIDs within the domain identified by /resourcegroupsid.
/uac
UAC_FLAGS
Comma-separated PacUserAccountControl flags. Defaults to NORMAL_ACCOUNT.
/flags
TICKET_FLAGS
Comma-separated Kerberos ticket flags. Defaults to forwardable,renewable,pre_authent.
/displayname
PAC_FULL_NAME
Full display name in the PAC FullName field.
/badpwdcount
INTEGER
Bad-password count in the PAC.

PAC Logon and Password Timestamps

/lastlogon
LOGON_TIMESTAMP
Last logon time written to the PAC LogonTime field. Accepts a local-time string (e.g. "01/01/2024 08:00:00").
/logofftime
LOGOFF_TIMESTAMP
Logoff time written to the PAC LogoffTime field. Accepts a local-time string.
/pwdlastset
PASSWORD_CHANGE_TIMESTAMP
Password last set time written to the PAC PasswordLastSet field. Accepts a local-time string.
/maxpassage
DAYS
Maximum password age in days, used to compute the PAC PasswordMustChange field relative to /pwdlastset.
/minpassage
DAYS
Minimum password age in days, used to compute the PAC PasswordCanChange field relative to /pwdlastset.
/logoncount
INTEGER
Logon count written to the PAC LogonCount field.

PAC Profile Fields

/homedir
HOMEDIR
Home directory path written to the PAC HomeDirectory field.
/homedrive
HOMEDRIVE
Home drive letter written to the PAC HomeDirectoryDrive field (e.g. H:).
/profilepath
PROFILE_PATH
Profile path written to the PAC ProfilePath field.
/scriptpath
LOGON_SCRIPT_PATH
Logon script path written to the PAC LogonScript field.

Timestamps

/starttime
TIMESTAMP
Ticket start time as a local-time string. Defaults to current UTC time.
/endtime
RELATIVE
Ticket end time as a duration relative to start time (e.g. 10h, 7d).
/renewtill
RELATIVE
Renew-till time as a duration relative to start time.
/authtime
TIMESTAMP
Authentication time embedded in the ticket.
/rangeend
RELATIVE
Generate a series of tickets from /starttime up to this end point.
/rangeinterval
RELATIVE_INTERVAL
Interval between tickets when using /rangeend. Defaults to 1d.

Output and Injection

/printcmd
flag
Print a Rubeus command line that reproduces the forged ticket from explicit values, avoiding future LDAP contact.
/outfile
FILENAME
Write the resulting .kirbi to this file (suffixed with timestamp and user/service names).
/ptt
flag
Inject the forged ticket directly into the current logon session via LSASS (pass-the-ticket).

Usage Examples

Rubeus.exe silver /aes256:3B8A2F1C7D9E4B0A6C5D8F2E1A3B7C9D0E4F6A8B2C1D3E5F7A9B0C2D4E6F8A0B /user:jdoe /service:cifs/fileserver.corp.example.com /ldap /ptt
The /nofullpacsig flag is required when targeting Windows hosts that have not yet applied the enforcement phase of the PAC signature hardening update (KB5020805). From the November 2023 enforcement deadline onward, domain controllers reject service tickets whose FullPacChecksum is missing or invalid, so omitting /nofullpacsig on patched environments will cause the ticket to be rejected. Use /krbkey to supply the KRBTGT key and generate a correctly signed FullPacChecksum when targeting fully patched environments.
